@kuratchi/js 0.0.3 → 0.0.5

package/dist/compiler/template.js

@@ -3,7 +3,9 @@
  *
  * Syntax:
  *   {expression}                → escaped output
- *   {=html expression}          → raw HTML output (unescaped)
+ *   {@html expression}          → sanitized HTML output
+ *   {@raw expression}           → raw HTML output (unescaped)
+ *   {=html expression}          → legacy alias for {@raw expression}
  *   for (const x of arr) {     → JS for loop (inline in HTML)
  *     <li>{x.name}</li>
  *   }
@@ -46,6 +48,7 @@ export function compileTemplate(template, componentNames, actionNames, rpcNameMa
     const lines = template.split('\n');
     let inStyle = false;
     let inScript = false;
+    let scriptBuffer = [];
     for (let i = 0; i < lines.length; i++) {
         const line = lines[i];
         const trimmed = line.trim();
@@ -58,13 +61,30 @@ export function compileTemplate(template, componentNames, actionNames, rpcNameMa
                 inStyle = false;
             continue;
         }
-        // Track <script> blocks — emit client JS as literal, no parsing
-        if (trimmed.match(/<script[\s>]/i))
+        // Track <script> blocks — transform reactive ($:) client syntax first.
+        if (!inScript && trimmed.match(/<script[\s>]/i)) {
             inScript = true;
+            scriptBuffer = [line];
+            if (trimmed.match(/<\/script>/i)) {
+                const transformed = transformClientScriptBlock(scriptBuffer.join('\n'));
+                for (const scriptLine of transformed.split('\n')) {
+                    out.push(`__html += \`${escapeLiteral(scriptLine)}\\n\`;`);
+                }
+                scriptBuffer = [];
+                inScript = false;
+            }
+            continue;
+        }
         if (inScript) {
-            out.push(`__html += \`${escapeLiteral(line)}\\n\`;`);
-            if (trimmed.match(/<\/script>/i))
+            scriptBuffer.push(line);
+            if (trimmed.match(/<\/script>/i)) {
+                const transformed = transformClientScriptBlock(scriptBuffer.join('\n'));
+                for (const scriptLine of transformed.split('\n')) {
+                    out.push(`__html += \`${escapeLiteral(scriptLine)}\\n\`;`);
+                }
+                scriptBuffer = [];
                 inScript = false;
+            }
             continue;
         }
         // Skip empty lines
@@ -147,6 +167,159 @@ export function compileTemplate(template, componentNames, actionNames, rpcNameMa
     }
     return out.join('\n');
 }
+function transformClientScriptBlock(block) {
+    const match = block.match(/^([\s\S]*?<script\b[^>]*>)([\s\S]*?)(<\/script>\s*)$/i);
+    if (!match)
+        return block;
+    const openTag = match[1];
+    const body = match[2];
+    const closeTag = match[3];
+    if (!/\$\s*:/.test(body)) {
+        const transpiled = transpileTypeScript(body, 'client-script.ts');
+        return `${openTag}${transpiled}${closeTag}`;
+    }
+    const out = [];
+    const lines = body.split('\n');
+    const reactiveVars = new Set();
+    const rewritten = lines.map((line) => {
+        const m = line.match(/^(\s*)let\s+([A-Za-z_$][\w$]*)\s*=\s*([^;]+);\s*$/);
+        if (!m)
+            return line;
+        const indent = m[1] ?? '';
+        const name = m[2];
+        const expr = (m[3] ?? '').trim();
+        if (!expr || (!expr.startsWith('[') && !expr.startsWith('{')))
+            return line;
+        reactiveVars.add(name);
+        return `${indent}let ${name} = __k$.state(${expr});`;
+    });
+    const assignRegexes = Array.from(reactiveVars).map((name) => ({
+        name,
+        re: new RegExp(`^(\\s*)${name}\\s*=\\s*([^;]+);\\s*$`),
+    }));
+    let inReactiveBlock = false;
+    let blockIndent = '';
+    let blockDepth = 0;
+    for (const line of rewritten) {
+        let current = line;
+        for (const { name, re } of assignRegexes) {
+            const am = current.match(re);
+            if (!am)
+                continue;
+            const indent = am[1] ?? '';
+            const expr = (am[2] ?? '').trim();
+            current = `${indent}${name} = __k$.replace(${name}, ${expr});`;
+            break;
+        }
+        if (!inReactiveBlock) {
+            const rm = current.match(/^(\s*)\$:\s*(.*)$/);
+            if (!rm) {
+                out.push(current);
+                continue;
+            }
+            const indent = rm[1] ?? '';
+            const expr = (rm[2] ?? '').trim();
+            if (!expr)
+                continue;
+            if (expr.startsWith('{')) {
+                const tail = expr.slice(1);
+                out.push(`${indent}__k$.effect(() => {`);
+                inReactiveBlock = true;
+                blockIndent = indent;
+                blockDepth = 1 + braceDelta(tail);
+                if (tail.trim())
+                    out.push(`${indent}${tail}`);
+                if (blockDepth <= 0) {
+                    out.push(`${indent}});`);
+                    inReactiveBlock = false;
+                    blockIndent = '';
+                    blockDepth = 0;
+                }
+                continue;
+            }
+            const normalized = expr.endsWith(';') ? expr : `${expr};`;
+            out.push(`${indent}__k$.effect(() => { ${normalized} });`);
+            continue;
+        }
+        const nextDepth = blockDepth + braceDelta(current);
+        if (nextDepth <= 0 && current.trim() === '}') {
+            out.push(`${blockIndent}});`);
+            inReactiveBlock = false;
+            blockIndent = '';
+            blockDepth = 0;
+            continue;
+        }
+        out.push(current);
+        blockDepth = nextDepth;
+    }
+    if (inReactiveBlock)
+        out.push(`${blockIndent}});`);
+    let insertAt = 0;
+    while (insertAt < out.length) {
+        const t = out[insertAt].trim();
+        if (!t || t.startsWith('//')) {
+            insertAt++;
+            continue;
+        }
+        if (/^\/\*/.test(t)) {
+            insertAt++;
+            continue;
+        }
+        if (/^import\s/.test(t)) {
+            insertAt++;
+            continue;
+        }
+        break;
+    }
+    out.splice(insertAt, 0, 'const __k$ = window.__kuratchiReactive;');
+    const transpiled = transpileTypeScript(out.join('\n'), 'client-script.ts');
+    return `${openTag}${transpiled}${closeTag}`;
+}
+function braceDelta(line) {
+    let delta = 0;
+    let inSingle = false;
+    let inDouble = false;
+    let inTemplate = false;
+    let escaped = false;
+    for (let i = 0; i < line.length; i++) {
+        const ch = line[i];
+        if (escaped) {
+            escaped = false;
+            continue;
+        }
+        if (ch === '\\') {
+            escaped = true;
+            continue;
+        }
+        if (!inDouble && !inTemplate && ch === "'" && !inSingle) {
+            inSingle = true;
+            continue;
+        }
+        if (inSingle && ch === "'") {
+            inSingle = false;
+            continue;
+        }
+        if (!inSingle && !inTemplate && ch === '"' && !inDouble) {
+            inDouble = true;
+            continue;
+        }
+        if (inDouble && ch === '"') {
+            inDouble = false;
+            continue;
+        }
+        if (!inSingle && !inDouble && ch === '`') {
+            inTemplate = !inTemplate;
+            continue;
+        }
+        if (inSingle || inDouble || inTemplate)
+            continue;
+        if (ch === '{')
+            delta++;
+        else if (ch === '}')
+            delta--;
+    }
+    return delta;
+}
 function findMatching(src, openPos, openChar, closeChar) {
     let depth = 0;
     let quote = null;
@@ -382,8 +555,9 @@ function expandShorthands(line) {
     return line;
 }
 /**
- * Compile a single HTML line, replacing {expr} with escaped output
- * and {=html expr} with raw output. Handles attribute values like value={x}.
+ * Compile a single HTML line, replacing {expr} with escaped output,
+ * {@html expr} with sanitized HTML, and {@raw expr} with raw output.
+ * Handles attribute values like value={x}.
  */
 function compileHtmlLine(line, actionNames, rpcNameMap) {
     // Expand shorthand syntax before main compilation
@@ -405,10 +579,22 @@ function compileHtmlLine(line, actionNames, rpcNameMap) {
         // Find matching closing brace
         const closeIdx = findClosingBrace(line, braceIdx);
         const inner = line.slice(braceIdx + 1, closeIdx).trim();
-        // Raw HTML: {=html expr}
-        if (inner.startsWith('=html ')) {
+        // Sanitized HTML: {@html expr}
+        if (inner.startsWith('@html ')) {
+            const expr = inner.slice(6).trim();
+            result += `\${__sanitizeHtml(${expr})}`;
+            hasExpr = true;
+        }
+        else if (inner.startsWith('@raw ')) {
+            // Unsafe raw HTML: {@raw expr}
+            const expr = inner.slice(5).trim();
+            result += `\${__rawHtml(${expr})}`;
+            hasExpr = true;
+        }
+        else if (inner.startsWith('=html ')) {
+            // Legacy alias for raw HTML: {=html expr}
             const expr = inner.slice(6).trim();
-            result += `\${${expr}}`;
+            result += `\${__rawHtml(${expr})}`;
             hasExpr = true;
         }
         else {
@@ -610,10 +796,26 @@ function findClosingBrace(src, openPos) {
  */
 export function generateRenderFunction(template) {
     const body = compileTemplate(template);
-    return `function render(data) {
-  const __esc = (v) => {
-    if (v == null) return '';
-    return String(v)
+    return `function render(data) {
+  const __rawHtml = (v) => {
+    if (v == null) return '';
+    return String(v);
+  };
+  const __sanitizeHtml = (v) => {
+    let html = __rawHtml(v);
+    html = html.replace(/<script\\b[^>]*>[\\s\\S]*?<\\/script>/gi, '');
+    html = html.replace(/<iframe\\b[^>]*>[\\s\\S]*?<\\/iframe>/gi, '');
+    html = html.replace(/<object\\b[^>]*>[\\s\\S]*?<\\/object>/gi, '');
+    html = html.replace(/<embed\\b[^>]*>/gi, '');
+    html = html.replace(/\\son[a-z]+\\s*=\\s*(\"[^\"]*\"|'[^']*'|[^\\s>]+)/gi, '');
+    html = html.replace(/\\s(href|src|xlink:href)\\s*=\\s*([\"'])\\s*javascript:[\\s\\S]*?\\2/gi, ' $1="#"');
+    html = html.replace(/\\s(href|src|xlink:href)\\s*=\\s*javascript:[^\\s>]+/gi, ' $1="#"');
+    html = html.replace(/\\ssrcdoc\\s*=\\s*(\"[^\"]*\"|'[^']*'|[^\\s>]+)/gi, '');
+    return html;
+  };
+  const __esc = (v) => {
+    if (v == null) return '';
+    return String(v)
       .replace(/&/g, '&amp;')
       .replace(/</g, '&lt;')
       .replace(/>/g, '&gt;')
@@ -623,3 +825,4 @@ export function generateRenderFunction(template) {
   ${body}
 }`;
 }
+import { transpileTypeScript } from './transpile.js';

package/dist/compiler/transpile.d.ts

@@ -0,0 +1 @@
+export declare function transpileTypeScript(source: string, contextLabel: string, compilerOptions?: Record<string, unknown>): string;

package/dist/compiler/transpile.js

@@ -0,0 +1,61 @@
+import { createRequire } from 'node:module';
+import * as fs from 'node:fs';
+import { fileURLToPath } from 'node:url';
+const require = createRequire(import.meta.url);
+let tsImpl;
+let bunTranspiler;
+function transpileWithBun(source) {
+    const BunRuntime = globalThis.Bun;
+    if (!BunRuntime?.Transpiler)
+        return null;
+    if (!bunTranspiler) {
+        bunTranspiler = new BunRuntime.Transpiler({ loader: 'ts' });
+    }
+    const output = bunTranspiler.transformSync(source);
+    return typeof output === 'string' ? output.trim() : String(output).trim();
+}
+function getTypeScript() {
+    if (!tsImpl) {
+        const localTsPath = fileURLToPath(new URL('../../node_modules/typescript/lib/typescript.js', import.meta.url));
+        if (fs.existsSync(localTsPath)) {
+            tsImpl = require(localTsPath);
+        }
+        else {
+            tsImpl = require(require.resolve('typescript', { paths: [process.cwd()] }));
+        }
+    }
+    return tsImpl;
+}
+function formatDiagnostic(diag) {
+    if (!diag.file || typeof diag.start !== 'number') {
+        return getTypeScript().flattenDiagnosticMessageText(diag.messageText, '\n');
+    }
+    const pos = diag.file.getLineAndCharacterOfPosition(diag.start);
+    const message = getTypeScript().flattenDiagnosticMessageText(diag.messageText, '\n');
+    return `${diag.file.fileName}:${pos.line + 1}:${pos.character + 1} ${message}`;
+}
+export function transpileTypeScript(source, contextLabel, compilerOptions = {}) {
+    if (!source.trim())
+        return source;
+    const bunOutput = transpileWithBun(source);
+    if (bunOutput !== null)
+        return bunOutput;
+    const ts = getTypeScript();
+    const result = ts.transpileModule(source, {
+        compilerOptions: {
+            target: ts.ScriptTarget.ES2022,
+            module: ts.ModuleKind.ESNext,
+            importsNotUsedAsValues: ts.ImportsNotUsedAsValues.Remove,
+            verbatimModuleSyntax: false,
+            ...compilerOptions,
+        },
+        reportDiagnostics: true,
+        fileName: contextLabel,
+    });
+    const diagnostics = (result.diagnostics || []).filter((diag) => diag.category === ts.DiagnosticCategory.Error);
+    if (diagnostics.length > 0) {
+        const rendered = diagnostics.map(formatDiagnostic).join('\n');
+        throw new Error(`[kuratchi compiler] TypeScript transpile failed for ${contextLabel}\n${rendered}`);
+    }
+    return result.outputText.trim();
+}

package/dist/create.js

@@ -915,7 +915,7 @@ function genLoginPage() {
   footerText="Don't have an account?"
   footerLink="Sign up"
   footerHref="/auth/signup"
-  error={__error}
+  error={signIn.error}
 >
   <form action={signIn} method="POST" class="kui-auth-form">
     <div class="kui-field">
@@ -943,7 +943,7 @@ function genSignupPage() {
   footerText="Already have an account?"
   footerLink="Sign in"
   footerHref="/auth/login"
-  error={__error}
+  error={signUp.error}
 >
   <form action={signUp} method="POST" class="kui-auth-form">
     <div class="kui-field">

package/dist/index.d.ts

@@ -6,8 +6,10 @@
 export { createApp } from './runtime/app.js';
 export { defineConfig } from './runtime/config.js';
 export { defineRuntime } from './runtime/runtime.js';
-export { getCtx, getRequest, getLocals, getParams, getParam, redirect, goto, setBreadcrumbs, getBreadcrumbs, breadcrumbsHome, breadcrumbsPrev, breadcrumbsNext, breadcrumbsCurrent, buildDefaultBreadcrumbs, } from './runtime/context.js';
-export { kuratchiDO, doRpc } from './runtime/do.js';
+export { getCtx, getEnv, getRequest, getLocals, getParams, getParam, redirect, goto, setBreadcrumbs, getBreadcrumbs, breadcrumbsHome, breadcrumbsPrev, breadcrumbsNext, breadcrumbsCurrent, buildDefaultBreadcrumbs, } from './runtime/context.js';
+export { kuratchiDO, doRpc, getDb } from './runtime/do.js';
+export { ActionError } from './runtime/action.js';
+export { PageError } from './runtime/page-error.js';
 export { extractSubdomainSlug, extractSlugFromPrefix, matchContainerViewPath, rewriteProxyLocationHeader, buildContainerRequest, createContainerEnvVars, startContainer, proxyToContainer, handleContainerRouting, forwardJsonPostToContainerDO, matchSiteViewPath, buildSiteContainerRequest, createWpContainerEnvVars, startSiteContainer, proxyToSiteContainer, } from './runtime/containers.js';
 export type { AppConfig, kuratchiConfig, DatabaseConfig, AuthConfig, RouteContext, RouteModule, RuntimeContext, RuntimeDefinition, RuntimeStep, RuntimeNext, RuntimeErrorResult, } from './runtime/types.js';
 export type { RpcOf } from './runtime/do.js';

package/dist/index.js

@@ -7,8 +7,10 @@
 export { createApp } from './runtime/app.js';
 export { defineConfig } from './runtime/config.js';
 export { defineRuntime } from './runtime/runtime.js';
-export { getCtx, getRequest, getLocals, getParams, getParam, redirect, goto, setBreadcrumbs, getBreadcrumbs, breadcrumbsHome, breadcrumbsPrev, breadcrumbsNext, breadcrumbsCurrent, buildDefaultBreadcrumbs, } from './runtime/context.js';
-export { kuratchiDO, doRpc } from './runtime/do.js';
+export { getCtx, getEnv, getRequest, getLocals, getParams, getParam, redirect, goto, setBreadcrumbs, getBreadcrumbs, breadcrumbsHome, breadcrumbsPrev, breadcrumbsNext, breadcrumbsCurrent, buildDefaultBreadcrumbs, } from './runtime/context.js';
+export { kuratchiDO, doRpc, getDb } from './runtime/do.js';
+export { ActionError } from './runtime/action.js';
+export { PageError } from './runtime/page-error.js';
 export { extractSubdomainSlug, extractSlugFromPrefix, matchContainerViewPath, rewriteProxyLocationHeader, buildContainerRequest, createContainerEnvVars, startContainer, proxyToContainer, handleContainerRouting, forwardJsonPostToContainerDO, 
 // Compatibility aliases
 matchSiteViewPath, buildSiteContainerRequest, createWpContainerEnvVars, startSiteContainer, proxyToSiteContainer, } from './runtime/containers.js';

package/dist/runtime/action.d.ts

@@ -0,0 +1,11 @@
+/**
+ * ActionError — throw from a form action to surface a user-facing error.
+ *
+ * Throwing an ActionError makes the error message available in the template
+ * as `actionName.error` (e.g. `signIn.error`). Throwing a plain Error in
+ * production shows a generic "Action failed" message instead.
+ */
+export declare class ActionError extends Error {
+    readonly isActionError = true;
+    constructor(message: string);
+}

package/dist/runtime/action.js

@@ -0,0 +1,14 @@
+/**
+ * ActionError — throw from a form action to surface a user-facing error.
+ *
+ * Throwing an ActionError makes the error message available in the template
+ * as `actionName.error` (e.g. `signIn.error`). Throwing a plain Error in
+ * production shows a generic "Action failed" message instead.
+ */
+export class ActionError extends Error {
+    isActionError = true;
+    constructor(message) {
+        super(message);
+        this.name = 'ActionError';
+    }
+}

package/dist/runtime/app.js

@@ -39,10 +39,37 @@ export function createApp(config) {
                 }
                 const route = routes[match.index];
                 context.params = match.params;
+                // --- API routes: dispatch to method handler ---
+                if ('__api' in route && route.__api) {
+                    const method = request.method;
+                    if (method === 'OPTIONS') {
+                        const handler = route['OPTIONS'];
+                        if (typeof handler === 'function')
+                            return handler(context);
+                        const allowed = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS']
+                            .filter(m => typeof route[m] === 'function').join(', ');
+                        return new Response(null, {
+                            status: 204,
+                            headers: { 'Allow': allowed, 'Access-Control-Allow-Methods': allowed },
+                        });
+                    }
+                    const handler = route[method];
+                    if (typeof handler !== 'function') {
+                        const allowed = ['GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'HEAD', 'OPTIONS']
+                            .filter(m => typeof route[m] === 'function').join(', ');
+                        return new Response(JSON.stringify({ error: 'Method Not Allowed' }), {
+                            status: 405,
+                            headers: { 'content-type': 'application/json', 'Allow': allowed },
+                        });
+                    }
+                    return handler(context);
+                }
+                // From here, route is a page route (RouteModule)
+                const pageRoute = route;
                 // --- RPC calls: POST ?/_rpc/functionName ---
                 if (request.method === 'POST' && url.searchParams.has('_rpc')) {
                     const fnName = url.searchParams.get('_rpc');
-                    const rpcFn = route.rpc?.[fnName];
+                    const rpcFn = pageRoute.rpc?.[fnName];
                     if (!rpcFn) {
                         return new Response(JSON.stringify({ error: `RPC function '${fnName}' not found` }), {
                             status: 404,
@@ -68,7 +95,7 @@ export function createApp(config) {
                     const actionParam = [...url.searchParams.keys()].find(k => k.startsWith('/'));
                     if (actionParam) {
                         const actionName = actionParam.slice(1); // remove leading /
-                        const actionFn = route.actions?.[actionName];
+                        const actionFn = pageRoute.actions?.[actionName];
                         if (!actionFn) {
                             return new Response(`Action '${actionName}' not found`, { status: 404 });
                         }
@@ -76,22 +103,22 @@ export function createApp(config) {
                             const formData = await request.formData();
                             const actionResult = await actionFn(formData, env, context);
                             // After action, re-run load and re-render with action result
-                            const loadData = route.load ? await route.load(context) : {};
+                            const loadData = pageRoute.load ? await pageRoute.load(context) : {};
                             const data = { ...loadData, actionResult, actionName };
-                            return renderPage(route, data, layouts);
+                            return renderPage(pageRoute, data, layouts);
                         }
                         catch (err) {
                             // Re-render with error
-                            const loadData = route.load ? await route.load(context) : {};
+                            const loadData = pageRoute.load ? await pageRoute.load(context) : {};
                             const data = { ...loadData, actionError: err.message, actionName };
-                            return renderPage(route, data, layouts);
+                            return renderPage(pageRoute, data, layouts);
                         }
                     }
                 }
                 // --- GET: load + render ---
                 try {
-                    const data = route.load ? await route.load(context) : {};
-                    return renderPage(route, data, layouts);
+                    const data = pageRoute.load ? await pageRoute.load(context) : {};
+                    return renderPage(pageRoute, data, layouts);
                 }
                 catch (err) {
                     return new Response(`Server Error: ${err.message}`, {

package/dist/runtime/context.d.ts

@@ -14,8 +14,10 @@ export interface BreadcrumbItem {
 }
 /** Called by the framework at the start of each request */
 export declare function __setRequestContext(ctx: any, request: Request): void;
-/** Get the execution context (waitUntil, passThroughOnException) */
-export declare function getCtx(): ExecutionContext;
+/** Get the execution context (Worker: ExecutionContext, DO: DurableObjectState) */
+export declare function getCtx(): any;
+/** Get the current environment bindings */
+export declare function getEnv<T = Record<string, any>>(): T;
 /** Get the current request */
 export declare function getRequest(): Request;
 /** Get request-scoped locals (session, auth, custom data) */
@@ -45,3 +47,7 @@ export declare function __setLocal(key: string, value: any): void;
 export declare function __getLocals(): Record<string, any>;
 /** HTML-escape a value for safe output in templates */
 export declare function __esc(v: any): string;
+/** Convert a value to a raw HTML string (unsafe, no escaping). */
+export declare function __rawHtml(v: any): string;
+/** Best-effort HTML sanitizer for {@html ...} template output. */
+export declare function __sanitizeHtml(v: any): string;

package/dist/runtime/context.js

@@ -7,6 +7,7 @@
  * Workers are single-threaded per request — module-scoped
  * variables are safe and require no Node.js compat flags.
  */
+import { __getDoSelf } from './do.js';
 let __ctx = null;
 let __request = null;
 let __locals = {};
@@ -22,12 +23,22 @@ export function __setRequestContext(ctx, request) {
         get locals() { return __locals; },
     };
 }
-/** Get the execution context (waitUntil, passThroughOnException) */
+/** Get the execution context (Worker: ExecutionContext, DO: DurableObjectState) */
 export function getCtx() {
+    const doSelf = __getDoSelf();
+    if (doSelf)
+        return doSelf.ctx;
     if (!__ctx)
         throw new Error('getCtx() called outside of a request context');
     return __ctx;
 }
+/** Get the current environment bindings */
+export function getEnv() {
+    const doSelf = __getDoSelf();
+    if (doSelf)
+        return doSelf.env;
+    return globalThis.__cloudflare_env__;
+}
 /** Get the current request */
 export function getRequest() {
     if (!__request)
@@ -121,3 +132,22 @@ export function __esc(v) {
         .replace(/"/g, '"')
         .replace(/'/g, ''');
 }
+/** Convert a value to a raw HTML string (unsafe, no escaping). */
+export function __rawHtml(v) {
+    if (v == null)
+        return '';
+    return String(v);
+}
+/** Best-effort HTML sanitizer for {@html ...} template output. */
+export function __sanitizeHtml(v) {
+    let html = __rawHtml(v);
+    html = html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
+    html = html.replace(/<iframe\b[^>]*>[\s\S]*?<\/iframe>/gi, '');
+    html = html.replace(/<object\b[^>]*>[\s\S]*?<\/object>/gi, '');
+    html = html.replace(/<embed\b[^>]*>/gi, '');
+    html = html.replace(/\son[a-z]+\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
+    html = html.replace(/\s(href|src|xlink:href)\s*=\s*(["'])\s*javascript:[\s\S]*?\2/gi, ' $1="#"');
+    html = html.replace(/\s(href|src|xlink:href)\s*=\s*javascript:[^\s>]+/gi, ' $1="#"');
+    html = html.replace(/\ssrcdoc\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi, '');
+    return html;
+}

package/dist/runtime/do.d.ts

@@ -12,6 +12,12 @@
  * The compiler uses __registerDoResolver / __getDoStub internally.
  * User code never touches these — they're wired up from kuratchi.config.ts.
  */
+/** @internal — called by compiler-generated method wrappers */
+export declare function __setDoContext(self: any): void;
+/** Get the DO's ORM database instance */
+export declare function getDb<T = Record<string, any>>(): T;
+/** @internal — read by context.ts getCtx()/getEnv() */
+export declare function __getDoSelf(): any;
 /** @internal — called by compiler-generated init code */
 export declare function __registerDoResolver(binding: string, resolver: () => Promise<any>): void;
 /** @internal — called by compiler-generated init code */

package/dist/runtime/do.js

@@ -13,6 +13,21 @@
  * User code never touches these — they're wired up from kuratchi.config.ts.
  */
 // ── Internal: stub resolver registry ────────────────────────
+let __doSelf = null;
+/** @internal — called by compiler-generated method wrappers */
+export function __setDoContext(self) {
+    __doSelf = self;
+}
+/** Get the DO's ORM database instance */
+export function getDb() {
+    if (!__doSelf)
+        throw new Error('getDb() called outside of a DO context');
+    return __doSelf.db;
+}
+/** @internal — read by context.ts getCtx()/getEnv() */
+export function __getDoSelf() {
+    return __doSelf;
+}
 const _resolvers = new Map();
 const _classBindings = new WeakMap();
 /** @internal — called by compiler-generated init code */

package/dist/runtime/index.d.ts

@@ -5,5 +5,5 @@ export { Router, filePathToPattern } from './router.js';
 export { getCtx, getRequest, getLocals, getParams, getParam, redirect, goto, setBreadcrumbs, getBreadcrumbs, breadcrumbsHome, breadcrumbsPrev, breadcrumbsNext, breadcrumbsCurrent, buildDefaultBreadcrumbs, } from './context.js';
 export { kuratchiDO, doRpc } from './do.js';
 export { extractSubdomainSlug, extractSlugFromPrefix, matchContainerViewPath, rewriteProxyLocationHeader, buildContainerRequest, createContainerEnvVars, startContainer, proxyToContainer, handleContainerRouting, forwardJsonPostToContainerDO, matchSiteViewPath, buildSiteContainerRequest, createWpContainerEnvVars, startSiteContainer, proxyToSiteContainer, } from './containers.js';
-export type { AppConfig, Env, AuthConfig, RouteContext, RouteModule, LayoutModule, RuntimeContext, RuntimeDefinition, RuntimeStep, RuntimeNext, RuntimeErrorResult, } from './types.js';
+export type { AppConfig, Env, AuthConfig, RouteContext, RouteModule, ApiRouteModule, HttpMethod, LayoutModule, RuntimeContext, RuntimeDefinition, RuntimeStep, RuntimeNext, RuntimeErrorResult, } from './types.js';
 export type { RpcOf } from './do.js';

package/dist/runtime/page-error.d.ts

@@ -0,0 +1,16 @@
+/**
+ * PageError — throw from a route's load scope to return a specific HTTP status page.
+ *
+ * Without PageError, any thrown error becomes a 500. PageError lets you return
+ * the correct HTTP status (404, 403, 401, etc.) and an optional message.
+ *
+ * @example
+ * const post = await db.posts.findOne({ id: params.id });
+ * if (!post) throw new PageError(404);
+ * if (!post.isPublished) throw new PageError(403, 'This post is not published');
+ */
+export declare class PageError extends Error {
+    readonly isPageError = true;
+    readonly status: number;
+    constructor(status: number, message?: string);
+}

package/dist/runtime/page-error.js

@@ -0,0 +1,20 @@
+/**
+ * PageError — throw from a route's load scope to return a specific HTTP status page.
+ *
+ * Without PageError, any thrown error becomes a 500. PageError lets you return
+ * the correct HTTP status (404, 403, 401, etc.) and an optional message.
+ *
+ * @example
+ * const post = await db.posts.findOne({ id: params.id });
+ * if (!post) throw new PageError(404);
+ * if (!post.isPublished) throw new PageError(403, 'This post is not published');
+ */
+export class PageError extends Error {
+    isPageError = true;
+    status;
+    constructor(status, message) {
+        super(message);
+        this.name = 'PageError';
+        this.status = status;
+    }
+}